[Dnsmasq-discuss] Segfault when no uplink dns server is available
Simon Kelley
simon at thekelleys.org.uk
Mon Mar 6 23:35:47 UTC 2023
Right, that's a different bug then.
Fix here.
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=f5ef0f064c3f06b250a9eeda36dc239227658b00
Cheers,
Simon.
On 06/03/2023 16:58, Daniel Danzberger wrote:
> It's from the current master branch:
> commit 5dc14b6e05f39a5ab0dc02e376b1d7da2fda5bc1 (HEAD -> master, tag: v2.89)
>
> On Mon, 2023-03-06 at 16:11 +0000, Simon Kelley wrote:
>>
>> Thanks for the comprehensive analysis.
>>
>> You don't mention what version of dnsmasq you were testing.
>>
>>
>> I think that this was fixed in release 2.88, the commit is:
>>
>> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2fc904111d9b6ec45fc1e4ec9f1f8b43c1e67b9b
>>
>> If you were testing 2.88 or 2.89 then we'll need to look again.
>>
>>
>>
>> Cheers,
>>
>> Simon.
>>
>> On 01/03/2023 15:58, Daniel Danzberger wrote:
>>> Hi,
>>>
>>> the segfault occurs when a custom 'server=/domain.test/#' entry is defined in the config,
>>> but no upstream dns server is available yet.
>>>
>>> The full valgrind crash log and config to reproduce the issue are below:
>>>
>>> root at lappi:[dnsmasq]:# valgrind --track-origins=yes ./src/dnsmasq --conf-file=/tmp/dnsmasq.conf -k
>>> ==683879== Memcheck, a memory error detector
>>> ==683879== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
>>> ==683879== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
>>> ==683879== Command: ./src/dnsmasq --conf-file=/tmp/dnsmasq.conf -k
>>> ==683879==
>>> ==683879== Warning: invalid file descriptor 1024 in syscall close()
>>> ==683879== Warning: invalid file descriptor 1025 in syscall close()
>>> ==683879== Warning: invalid file descriptor 1026 in syscall close()
>>> ==683879== Warning: invalid file descriptor 1027 in syscall close()
>>> ==683879== Use --log-fd=<number> to select an alternative log fd.
>>> ==683879== Warning: invalid file descriptor 1028 in syscall close()
>>> ==683879== Warning: invalid file descriptor 1029 in syscall close()
>>> ==683879== Warning: invalid file descriptor 1030 in syscall close()
>>> ==683879== Invalid read of size 4
>>> ==683879== at 0x129BED: forward_query (forward.c:353)
>>> ==683879== by 0x12A756: receive_query (forward.c:1869)
>>> ==683879== by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>>> ==683879== by 0x110B38: main (dnsmasq.c:1264)
>>> ==683879== Address 0x4a60560 is 16 bytes before a block of size 11 alloc'd
>>> ==683879== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
>>> ==683879== by 0x11AD60: safe_malloc (util.c:302)
>>> ==683879== by 0x11C3CC: opt_malloc (option.c:633)
>>> ==683879== by 0x11C3CC: opt_string_alloc (option.c:645)
>>> ==683879== by 0x11F03B: one_opt (option.c:2346)
>>> ==683879== by 0x125578: read_file (option.c:5381)
>>> ==683879== by 0x125A0B: one_file (option.c:5487)
>>> ==683879== by 0x126608: read_opts (option.c:5854)
>>> ==683879== by 0x10FA0C: main (dnsmasq.c:104)
>>> ==683879==
>>> ==683879== Invalid write of size 4
>>> ==683879== at 0x129BF7: forward_query (forward.c:353)
>>> ==683879== by 0x12A756: receive_query (forward.c:1869)
>>> ==683879== by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>>> ==683879== by 0x110B38: main (dnsmasq.c:1264)
>>> ==683879== Address 0x4a60560 is 16 bytes before a block of size 11 alloc'd
>>> ==683879== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
>>> ==683879== by 0x11AD60: safe_malloc (util.c:302)
>>> ==683879== by 0x11C3CC: opt_malloc (option.c:633)
>>> ==683879== by 0x11C3CC: opt_string_alloc (option.c:645)
>>> ==683879== by 0x11F03B: one_opt (option.c:2346)
>>> ==683879== by 0x125578: read_file (option.c:5381)
>>> ==683879== by 0x125A0B: one_file (option.c:5487)
>>> ==683879== by 0x126608: read_opts (option.c:5854)
>>> ==683879== by 0x10FA0C: main (dnsmasq.c:104)
>>> ==683879==
>>> ==683879== Invalid read of size 8
>>> ==683879== at 0x129C07: forward_query (forward.c:354)
>>> ==683879== by 0x12A756: receive_query (forward.c:1869)
>>> ==683879== by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>>> ==683879== by 0x110B38: main (dnsmasq.c:1264)
>>> ==683879== Address 0x4a60558 is 24 bytes before a block of size 11 alloc'd
>>> ==683879== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
>>> ==683879== by 0x11AD60: safe_malloc (util.c:302)
>>> ==683879== by 0x11C3CC: opt_malloc (option.c:633)
>>> ==683879== by 0x11C3CC: opt_string_alloc (option.c:645)
>>> ==683879== by 0x11F03B: one_opt (option.c:2346)
>>> ==683879== by 0x125578: read_file (option.c:5381)
>>> ==683879== by 0x125A0B: one_file (option.c:5487)
>>> ==683879== by 0x126608: read_opts (option.c:5854)
>>> ==683879== by 0x10FA0C: main (dnsmasq.c:104)
>>> ==683879==
>>> ==683879== Invalid write of size 4
>>> ==683879== at 0x129502: forward_query (forward.c:358)
>>> ==683879== by 0x12A756: receive_query (forward.c:1869)
>>> ==683879== by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>>> ==683879== by 0x110B38: main (dnsmasq.c:1264)
>>> ==683879== Address 0x4a60560 is 16 bytes before a block of size 11 alloc'd
>>> ==683879== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
>>> ==683879== by 0x11AD60: safe_malloc (util.c:302)
>>> ==683879== by 0x11C3CC: opt_malloc (option.c:633)
>>> ==683879== by 0x11C3CC: opt_string_alloc (option.c:645)
>>> ==683879== by 0x11F03B: one_opt (option.c:2346)
>>> ==683879== by 0x125578: read_file (option.c:5381)
>>> ==683879== by 0x125A0B: one_file (option.c:5487)
>>> ==683879== by 0x126608: read_opts (option.c:5854)
>>> ==683879== by 0x10FA0C: main (dnsmasq.c:104)
>>> ==683879==
>>> ==683879== Invalid write of size 8
>>> ==683879== at 0x12950C: forward_query (forward.c:357)
>>> ==683879== by 0x12A756: receive_query (forward.c:1869)
>>> ==683879== by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>>> ==683879== by 0x110B38: main (dnsmasq.c:1264)
>>> ==683879== Address 0x4a60558 is 24 bytes before a block of size 11 alloc'd
>>> ==683879== at 0x48455EF: calloc (vg_replace_malloc.c:1328)
>>> ==683879== by 0x11AD60: safe_malloc (util.c:302)
>>> ==683879== by 0x11C3CC: opt_malloc (option.c:633)
>>> ==683879== by 0x11C3CC: opt_string_alloc (option.c:645)
>>> ==683879== by 0x11F03B: one_opt (option.c:2346)
>>> ==683879== by 0x125578: read_file (option.c:5381)
>>> ==683879== by 0x125A0B: one_file (option.c:5487)
>>> ==683879== by 0x126608: read_opts (option.c:5854)
>>> ==683879== by 0x10FA0C: main (dnsmasq.c:104)
>>> ==683879==
>>> ==683879== Invalid read of size 4
>>> ==683879== at 0x1289B5: allocate_rfd (forward.c:2563)
>>> ==683879== by 0x1291BE: forward_query (forward.c:498)
>>> ==683879== by 0x12A756: receive_query (forward.c:1869)
>>> ==683879== by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>>> ==683879== by 0x110B38: main (dnsmasq.c:1264)
>>> ==683879== Address 0x3 is not stack'd, malloc'd or (recently) free'd
>>> ==683879==
>>> ==683879==
>>> ==683879== Process terminating with default action of signal 11 (SIGSEGV)
>>> ==683879== Access not within mapped region at address 0x3
>>> ==683879== at 0x1289B5: allocate_rfd (forward.c:2563)
>>> ==683879== by 0x1291BE: forward_query (forward.c:498)
>>> ==683879== by 0x12A756: receive_query (forward.c:1869)
>>> ==683879== by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>>> ==683879== by 0x110B38: main (dnsmasq.c:1264)
>>> ==683879== If you believe this happened as a result of a stack
>>> ==683879== overflow in your program's main thread (unlikely but
>>> ==683879== possible), you can try to increase the size of the
>>> ==683879== main thread stack using the --main-stacksize= flag.
>>> ==683879== The main thread stack size used in this run was 8388608.
>>> ==683879==
>>> ==683879== HEAP SUMMARY:
>>> ==683879== in use at exit: 42,261 bytes in 187 blocks
>>> ==683879== total heap usage: 243 allocs, 56 frees, 138,085 bytes allocated
>>> ==683879==
>>> ==683879== LEAK SUMMARY:
>>> ==683879== definitely lost: 0 bytes in 0 blocks
>>> ==683879== indirectly lost: 0 bytes in 0 blocks
>>> ==683879== possibly lost: 36 bytes in 1 blocks
>>> ==683879== still reachable: 42,225 bytes in 186 blocks
>>> ==683879== suppressed: 0 bytes in 0 blocks
>>> ==683879== Rerun with --leak-check=full to see details of leaked memory
>>> ==683879==
>>> ==683879== For lists of detected and suppressed errors, rerun with: -s
>>> ==683879== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
>>> ==683879== could not unlink /tmp/vgdb-pipe-from-vgdb-to-683879-by-daniel-on-???
>>> ==683879== could not unlink /tmp/vgdb-pipe-to-vgdb-from-683879-by-daniel-on-???
>>> ==683879== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-683879-by-daniel-on-???
>>> Segmentation fault
>>>
>>>
>>> /tmp/dnsmasq.conf:
>>> --
>>> domain-needed
>>> localise-queries
>>> read-ethers
>>> expand-hosts
>>> bind-dynamic
>>> local-service
>>> edns-packet-max=1232
>>> domain=lan
>>> local=/lan/
>>> server=/sub.domain.test/#
>>> server=/domain.test/8.8.8.8
>>> addn-hosts=/tmp/hosts
>>> resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
>>> stop-dns-rebind
>>> rebind-localhost-ok
>>> conf-dir=/tmp/dnsmasq.d
>>> bogus-priv
>>> --
>>>
>>> To trigger the issue, pass a simple dns request to the running dnsmasq instance.
>>> I.e. with: # dig sub.domain.test @localhost
>>>
>>>
>>> The first invalid memory access happens, when the 'struct server' of the matching domain is accessed here:
>>> --
>>> ==683879== Invalid read of size 4
>>> ==683879== at 0x129BED: forward_query (forward.c:353)
>>> ==683879== by 0x12A756: receive_query (forward.c:1869)
>>> ==683879== by 0x12ECEA: check_dns_listeners (dnsmasq.c:1843)
>>> if (!option_bool(OPT_ORDER))
>>> {https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2fc904111d9b6ec45fc1e4ec9f1f8b43c1e67b9b
>>> if (master->forwardcount++ > FORWARD_TEST ||
>>> difftime(now, master->forwardtime) > FORWARD_TIME ||
>>> master->last_server == -1)
>>> {
>>> master->forwardtime = now;
>>> master->forwardcount = 0;
>>> forward->forwardall = 1;
>>> }
>>> else
>>> start = master->last_server;
>>> }
>>> --
>>>
>>> The server struct has been allocated here with only 'size' bytes and not the full length of the server struct.
>>> Which causes the member access beyond 'size' to read/write into unwanted memory.
>>> src/domain-match.c:565
>>> --
>>> if (flags & SERV_6ADDR)
>>> size = sizeof(struct serv_addr6);
>>> else if (flags & SERV_4ADDR)
>>> size = sizeof(struct serv_addr4);
>>> else
>>> size = sizeof(struct serv_local);
>>>
>>> if (!(serv = whine_malloc(size)))
>>> {
>>> free(alloc_domain);
>>> return 0;
>>> }
>>> --
>>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>>
>
>
More information about the Dnsmasq-discuss
mailing list